A private member’s bill tabled in the House of Commons Wednesday would greatly enhance the powers of the federal privacy commissioner, but one former commissioner wants to know why the legislation is coming from an individual MP rather than the government.

The European Union’s tough new data privacy rules have created an “urgency” around the world to follow suit, said Ann Cavoukian, a former Ontario privacy commissioner. And she questioned why the Canadian government isn’t acting with more urgency.

“I do not understand why the government wouldn’t be leading on this. That astounds me,” said Cavoukian, who pointed to recent polling on the issue as proof that beefed-up privacy rules would be relatively uncontroversial.

Although Prime Minister Justin Trudeau has expressed cautious interest in boosting Canada’s privacy laws along the lines of the European model, no legislation has been proposed. Backbench Liberal MP Nathaniel Erskine-Smith, who introduced the bill Wednesday, said he was not trying to force the government’s hand but simply to put the issue up for debate with some concrete proposals.

Although the privacy commissioner’s powers are just one part of the problem, it’s the change that has nearly unanimous support, Erskine-Smith said.

An all-party committee studying recent data breaches has twice recommended the enhanced powers but, so far, there’s been no movement from the government on legislation.

While the EU leads the way, Canada is still employing a privacy commissioner whose “hands are tied,” said Cavoukian, who is now the distinguished expert at the Privacy By Design Centre of Excellence at Ryerson University.

The power to order rule-breakers to comply with privacy laws was vital to her work as the Ontario commissioner, said Cavoukian.

Without order-making power, Erskine-Smith described the federal privacy commissioner as more of an ombudsman than a regulator, relegated to simply offering advice to anyone breaking Canada’s privacy rules.

Cavoukian said the threat of using her order-making abilities was usually enough to solve most problems and helped stop companies from simply ignoring the commissioner.

“I had the stick, but rarely had to use it,” Cavoukian said.

Erskine-Smith’s bill would institute a new legal process to prosecute organizations that intentionally or recklessly break privacy laws and allow the courts to levy financial penalties.

The penalties would be consistent with the European ones, with a fine of up to $30 million levied for indictable offences and up to $15 million for less serious “summary” offences. Authorities in Europe do have the ability to levy fines up to four per cent of a company’s global revenue, which is designed to make massive companies like Google and Facebook take notice. That would not be an option for Canadian authorities under the proposed legislation.

If rule-breakers have taken reasonable precautions and have simply made a mistake, that could allow them some leniency on the financial sanctions. Other mitigating factors on fines are the size of the organization and its willingness to cooperate.

On Tuesday, the government announced a summer-long consultation process into “digital and data transformation,” which can now consider some of the proposals in Erskine-Smith’s bill.

The process, though, could take years. Canadian companies with European customers are already struggling to understand how the new regulations in Europe apply to them.

With the major jump forward in the EU, Canada has lost its “essential equivalence” with Europe, said Cavoukian, which can negatively affect a trading relationship.

Avery Swartz, a Toronto tech consultant who has advised companies on GDPR compliance, said many of them were blindsided by the changes.

“The pulse I’m getting from Canadian organizations… is that the (new European rules) came and kind of surprised everyone. I think a lot of businesses were not aware that it was something they were going to be considering,” said Swartz.

Multinational companies are also looking for safe havens from the European regulations.

In April, Reuters reported that Facebook was changing its terms of service to reduce the company’s exposure to the European rules. Users outside of Canada and the United States were previously governed by terms agreed with Facebook’s international headquarters in Ireland, possibly giving them protections under the GDPR. With the switch, Facebook “removes a huge potential liability,” given the hefty fines in Europe.

Facebook wasn’t the only company looking for relief and the trend prompted concerns that the world could be split up into data “safe zones” and “red zones.”

“Far from being a force for equalization and inclusion, digital technology penetration and the degree of data protection could become a new form of inequality,” wrote Bhaskar Chakravorti, the dean of global business at Tufts University’s Fletcher School, in the Harvard Business Review, arguing that citizens of developing countries would have significantly worse protection than those in the developed world.

Analysis by the investment bank Goldman Sachs shows that strict regulations can impact a company’s bottom line in a way that public outrage often doesn’t. Facebook can expect a revenue hit of up to 7 per cent if it struggles to get consent from its users in Europe for their personal data, the bank reported.

That contrasts starkly with the 61 per cent boost in profit Facebook saw in 2017, in a difficult, scandal-plagued year.
